Abstract —In this paper we extend the notion of locally repairable
codes to secret sharing schemes. The main problem that
we consider is to find optimal ways to distribute shares of a 
secret among a set of storage-nodes (participants) such that the 
content of each node (share) can be recovered by using contents 
of only few other nodes, and at the same time the secret can 
be reconstructed by only some allowable subsets of nodes. As 
a special case, an eavesdropper observing some set of specific 
nodes (such as less than certain number of nodes) does not get 
any information. In other words, we propose to study a locally 
repairable distributed storage system that is secure against a 
passive eavesdropper that can observe some subsets of nodes. 

We provide a number of results related to such systems 
including upper-bounds and achievability results on the number 
of bits that can be securely stored with these constraints. In 
particular, we provide conditions under which a locally repairable 
code can be turned into a secret sharing scheme and extend the 
results of secure repairable storage to cooperative repair and 
storage on networks. Additionally, we consider perfect secret 
sharing schemes over general access structures under locality 
constraints and give an example of a perfect secret sharing 
scheme that can have small locality. Lastly, we provide a lower 
bound on the size of a share compared to the size of the secret 
that shows how locality affects the sizes of shares in a perfect 
scheme. 

I. Introduction 

Secret sharing schemes were proposed by Shamir and
Blakley [3], [22] to provide security against an eavesdropper
with unbounded computational capability. Consider the secret
as a realization of a (uniform) random vector $S$ over some
support. Define $[n] := \{1, 2, \dots, n\}$ and let $2^A$ denote the
power set for set $A$. Suppose that shares of the secret are to
be distributed among $n$ participants (storage nodes) such that
a set of shares belonging to $\mathcal{A}_s \subseteq 2^{[n]}$ is able to determine
the secret. $\mathcal{A}_s$ is called the access structure of the secret
sharing scheme. Denote the random variable corresponding
to the share of a participant (or node) $i \in [n]$ by $C_i$ and
let $C = (C_1 C_2 \cdots C_n)$. Let $x_A$ denote the projection of the
vector $x \in \mathbb{F}_q^n$ to the co-ordinates in $A \subseteq [n]$. For a singleton
set $A = \{i\}$ let $x_i := x_{\{i\}}$. A secure scheme has the property
that a subset of shares in the block-list $\mathcal{B}_s \subseteq 2^{[n]}$ are unable to
determine anything about the secret. Thus, $H(S|C_B) = H(S)$
for any $B \in \mathcal{B}_s$ and $H(S|C_A) = 0$ for any $A \in \mathcal{A}_s$, where
$H(\cdot)$ denotes the entropy. For a standard monotone secret
sharing scheme the classes $\mathcal{A}_s$ and $\mathcal{B}_s$ must have the following
properties,

    $A \subseteq A',\ A \in \mathcal{A}_s \Rightarrow A' \in \mathcal{A}_s$
    $B' \subseteq B,\ B \in \mathcal{B}_s \Rightarrow B' \in \mathcal{B}_s$

and

    $\mathcal{B}_s \subseteq 2^{[n]} \setminus \mathcal{A}_s.$

For a perfect secret sharing scheme we have the above
monotone property and $\mathcal{B}_s = 2^{[n]} \setminus \mathcal{A}_s$. Perfect schemes for
access structures of the form $\mathcal{A}_s = \{A \subseteq [n] : |A| \ge m\}$ are
called threshold secret sharing schemes. We refer to [2] for a
comprehensive survey of secret sharing schemes.

A convenient property of schemes that need to store data
in a distributed storage system is local repairability [8], i.e.
any storage node can be repaired by accessing a small subset
of other nodes, much smaller than is required for decoding
the complete data. Error-correcting codes with the local repair
property - locally repairable codes (LRC) - have been the
center of a lot of research activities lately [4], [8], [16], [24].
Consider an $n$ length code over a $q$-ary alphabet, $\mathcal{C} \subseteq \mathbb{F}_q^n$
of size $|\mathcal{C}| = q^k$. The code is said to have locality $r$, if for
every $i$, $1 \le i \le n$, there exists a set $\mathcal{R}_i \subseteq [n] \setminus \{i\}$ with
$|\mathcal{R}_i| \le r$ such that for any two codewords $u, u' \in \mathcal{C}$ satisfying
$u_i \ne u'_i$, we have $u_{\mathcal{R}_i} \ne u'_{\mathcal{R}_i}$. In a code with locality $r$,
any symbol of a codeword can be deduced by reading only
at most $r$ other symbols of the codeword. For application in
distributed storage, the code is further required to have a large
minimum distance $d$, since that helps recovery in the event of
catastrophic failures (i.e., up to $d - 1$ node failures). It is
known [8] that for such a code,

    $d \le n - k - \lceil k/r \rceil + 2,$    (1)

which is also achievable [16], [24]. A $q$-ary code of length $n$,
size $q^k$ and locality $r$ will be called an $(n, k, r)_q$-optimal LRC
if its minimum distance satisfies (1) with equality.

Security in distributed storage has recently been considered 
in a number of papers, for example [9], [17], [20], [25] 
and references therein. In these papers the main objective is 
to secure stored or downloaded data against an adversary. 
Threshold secret sharing protocols over a network under
some communication constraint have been considered in [21].
Problems most closely related to this paper perhaps appear in
[18] where a version of threshold secret sharing scheme with
locality has been studied. Motivated by the above applications
in distributed storage, we analyze secret sharing schemes with
different access structures such that shares of each
participant/node can be repaired with locality $r$.
A. Contributions and organization

Our contributions in this paper are summarized in the
following list.

1) Distributed storage. We provide bounds and achievability
results for a locally repairable scheme for access structure
and block-list, $\mathcal{A}_s = \{A \subseteq [n] : |A| \ge m\}$ and
$\mathcal{B}_s = \{B \subseteq [n] : |B| \le \ell\}$, respectively. As evident
from definition 1, these access and block structures model
a simple distributed storage scenario. We assume that the
shares of the secrets are locally recoverable and at the
same time an adversary observing up to $\ell$ shares does
not get any information. A more general version of this
model that also considers repair bandwidth as a parameter
appears in [18]. In section II we also address the conditions
under which a locally repairable error-correcting code can
be converted into a secret sharing scheme with the above
access structure.

Comparison of this part with results of [18]: In [18], 
bounds on secrecy capacity for regenerating and locally 
recoverable codes have been derived using information 
theoretic inequalities, and achievability of these bounds 
using schemes that require Gabidulin precoding technique 
has been shown. 

Our method to prove the converse result is different from 
that used in [18]. One advantage of our technique for 
the bound in section II is that it can be easily applied 
to cooperative repair (section III) and repairable codes on 
graphs (section IV). 

We provide a random coding argument using network flow 
graphs to show the existence of an achievability scheme 
for the bound, and also adapt the method of [18] for 
more general scenarios mentioned above (i.e., cooperative 
repair and repairable codes on graphs). For these scenarios, 
we use lemma 6 and Gabidulin precoding to construct 
transformations to form secure schemes from existing non- 
secure locally repairable codes. 

2) Maximal recoverability. The Gabidulin precoding described 
above can be used to construct optimal codes but requires 
an exponentially large (in n) alphabet size. A simple 
construction of secret sharing schemes from LRCs is 
provided in eq. (14). We specify in lemma 6 the additional 
constraints that an optimal LRC would have to satisfy 
to be able to construct optimal secret sharing schemes 
in this method. This shows that to construct an optimal 
secure scheme with small share size we essentially need 
a maximally recoverable code over small alphabet (see 
theorem 8). 

3) Perfect secret sharing with small locality. In section V, 
we consider perfect secret sharing schemes over general 
access structures under locality constraints. While we show 
that for threshold secret sharing schemes, there cannot exist 
any non-trivial local repairability, we give an example of a 
perfect secret sharing scheme that can have small locality. 

4) Lower bound on the size of shares in terms of the size of
the secret. Extending the result of [5] to locally repairable
schemes we provide an analogous lower-bound on the size
of a share compared to the size of the secret. We further
show how locality affects the sizes of shares in a perfect
scheme as they relate to the size of the secret. These results
are presented in section V (see theorem 14).

5) Extension. We extend the notion of security to cooperative
local repair [19] where a Distributed Storage System can
deal with simultaneous multiple node failures. We provide
upper-bounds on the secrecy capacity and construct achievable
schemes for this scenario in section III.

6) Extension. A different and practical generalization for
secret sharing scheme is made in which the Distributed
Storage System is represented by a graph $\mathcal{G}$ such that a
node can only connect to its neighbors in $\mathcal{G}$ for repair.
This scenario has been considered in section IV.

II. A SECRET-SHARING SCHEME FOR DISTRIBUTED 
STORAGE 

We start this section by formally defining a secret sharing
scheme for a particular, common access structure and block-list:
$\mathcal{A}_s = \{A \subseteq [n] : |A| \ge m\}$ and $\mathcal{B}_s = \{B \subseteq [n] : |B| \le \ell\}$.
For a code $\mathcal{C} \subseteq \mathbb{F}_q^n$ and set $I \subseteq [n]$ define
$\mathcal{C}_I := \{x_I : x \in \mathcal{C}\}$.

Definition 1. An $(n, k, \ell, m, r)_q$-secret sharing scheme consists
of a randomized encoder $f$ that maps a uniform secret
$S \in \mathbb{F}_q^k$ randomly to $C = f(S) \in \mathbb{F}_q^n$, and must have the
following three properties.

1) (Recovery) Given any $m$ symbols of $C$, the secret $S$ is
completely determined. This guarantees that the secret is
recoverable even with the loss of any $n - m$ shares.

    $H(S|C_I) = 0, \quad \forall I \subseteq [n], |I| = m$    (2)

2) (Security) Any set of $\ell$ shares of $C$ does not reveal
anything about the secret.

    $H(S|C_J) = H(S), \quad \forall J \subseteq [n], |J| = \ell$    (3)

A scheme satisfying this condition is called $\ell$-secure. An
eavesdropper that can observe $\ell$ nodes is called an
$\ell$-strength eavesdropper.

3) (Locality) For any share, there exist at most $r$ other shares
that completely determine it. For all $i$, there exists
$\mathcal{R}_i \subseteq [n] \setminus \{i\} : |\mathcal{R}_i| \le r$, such that

    $H(C_i|C_{\mathcal{R}_i}) = 0$    (4)

$\mathcal{R}_i$ is called the recovery set of share $i$.

The maximum amount of secret that can be stored as
a function of $n$, $\ell$, $m$ and $r$ is called the capacity of the
secret sharing scheme and in the following we provide exact
characterization of this quantity. We can define the security
condition above in a modified way where the eavesdropper is
allowed to see any set $J \subseteq [n]$ of shares and we calculate
the amount of information revealed, i.e. $I(S; C_J)$, in terms
of $n$, $k$, $|J|$, $m$ and $r$ in an optimal scheme. This extension is
easy from our result and somewhat summarized in corollary 4.

Note that, for locally repairable schemes with no security
requirement i.e. $\ell = 0$ the following lower-bound on $m$ is
apparent from (1),

    $m \ge k + \lceil k/r \rceil - 1.$    (5)

This lower bound follows from the definition of the minimum
distance of a code $d = n - m + 1$. In what follows, we provide
the fundamental limit on secrecy capacity and constructions
achieving that limit.

As mentioned in the introduction, a generalized version
of this type of secret-sharing scheme that includes
repair-bandwidth and other parameters was studied in [18]. Our
theorems 2 and 5 can be obtained as a consequence of
results of that paper. We still provide different proofs of these
results as the concepts introduced will be useful for later
developments.


A. Bounds 


Let us first prove an immediate and naive upper bound on 
the capacity of a locally repairable secret sharing scheme that 
follows as a consequence of Eq. (5). 

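Proposition 1. For any $(n, k, \ell, m, r)_q$-secret sharing scheme,

    $k \le m - \ell - \left\lfloor \frac{m - \ell}{r + 1} \right\rfloor.$

Proof: Consider the randomized encoding $f$ of any
$(n, k, \ell, m, r)$-secret sharing scheme. For any secret $s \in \mathbb{F}_q^k$,
define the support of the map $f(s)$ to be
$\mathrm{supp}(f(s)) = \{x \in \mathbb{F}_q^n : \Pr(f(s) = x) \ne 0\}$. Clearly for any pair
$s, s' \in \mathbb{F}_q^k$, $s \ne s'$, $\mathrm{supp}(f(s)) \cap \mathrm{supp}(f(s')) = \emptyset$.

Suppose, for some $s \in \mathbb{F}_q^k$, $x \in \mathrm{supp}(f(s))$. Let $I \subseteq [n]$
and $|I| = \ell$. Note that, for each $s' \in \mathbb{F}_q^k \setminus s$, there must
exist $z \in \mathrm{supp}(f(s'))$ such that $z_I = x_I$ (from the Security
property). Let $\mathcal{C} \subseteq \{z \in \mathrm{supp}(f(s')) : s' \in \mathbb{F}_q^k \text{ and } z_I = x_I\}$
such that $|\mathcal{C} \cap \mathrm{supp}(f(s'))| = 1\ \forall s' \in \mathbb{F}_q^k$. We have $\mathcal{C} \subseteq \mathbb{F}_q^n$
and $|\mathcal{C}| = q^k$. Moreover, from the Recovery property, any $m$
coordinates of a vector in $\mathcal{C}$ must be unique, which implies $\mathcal{C}$
has minimum distance at least $n - m + 1$.

Since $\{f(s) : s \in \mathbb{F}_q^k\}$ has locality $r$ any set
$\mathcal{C} \subseteq \{f(s) : s \in \mathbb{F}_q^k\}$ must have locality $r$. Since all the codewords in $\mathcal{C}$
have fixed value on the co-ordinates $I$, $\mathcal{C}_{[n] \setminus I} \subseteq \mathbb{F}_q^{n-\ell}$ must
be a code of length $n - \ell$ and locality $r$. Moreover, $\mathcal{C}_{[n] \setminus I}$ has
minimum distance at least $n - m + 1$ (same as $\mathcal{C}$). Now from
eq. (1) we have,

    $n - m + 1 \le (n - \ell) - k - \lceil k/r \rceil + 2$
    $\iff k + \lceil k/r \rceil - 1 \le m - \ell$    (6a)
    $\implies k \le m - \ell - \left\lfloor \frac{m - \ell}{r + 1} \right\rfloor$    (6b)

where eq. (6b) follows by replacing both sides of eq. (6a) by
$\mathrm{Incr}_0(k + \lceil k/r \rceil - 1)$ and $\mathrm{Incr}_0(m - \ell)$ respectively, where
$\mathrm{Incr}_0(\cdot)$ denotes the increasing function
$\mathrm{Incr}_0(x) := x - \left\lfloor \frac{x}{r+1} \right\rfloor$. ■

This naive bound in eq. (6a) is not the best possible: it can
be further improved to

    $k + \ell + \left\lceil \frac{k + \ell}{r} \right\rceil - 1 \le m.$    (7)

To prove (7), instead of trying to use eq. (1) as a black-box,
we follow its proof method [4], [8].

Theorem 2. Any $(n, k, \ell, m, r)_q$-secret sharing scheme must
satisfy,

    $k + \ell \le m - \left\lfloor \frac{m}{r + 1} \right\rfloor.$    (8)

The upper-bound in eq. (8) can also be obtained from [18,
Theorem 33] where the authors use a different method. It
should be noted that eq. (8) is equivalent to eq. (7). We see
that eq. (7) $\implies$ eq. (8) by replacing both sides in eq. (8) by
the increasing function $\mathrm{Incr}_0(x) := x - \lfloor x/(r+1) \rfloor$. Similarly
eq. (8) $\implies$ eq. (7) by replacing each side with the increasing
function $\mathrm{Incr}_1(x) := x + \lceil x/r \rceil - 1$. This follows because of
the following fact.

Claim 3. For $x, y, r \in \mathbb{Z}_+$,

    $y = x + \left\lceil \frac{x}{r} \right\rceil - 1 \implies x = y - \left\lfloor \frac{y}{r + 1} \right\rfloor.$    (9)

Proof: Let $x = qr + w$, $w < r$. Then, we have,

    $x + \left\lceil \frac{x}{r} \right\rceil - 1 - \left\lfloor \frac{x + \lceil x/r \rceil - 1}{r + 1} \right\rfloor$    (10a)
    $= x + q + \left\lceil \frac{w}{r} \right\rceil - 1 - \left\lfloor \frac{qr + w + q + \lceil w/r \rceil - 1}{r + 1} \right\rfloor$    (10b)
    $= x + \left\lceil \frac{w}{r} \right\rceil - \left\lfloor \frac{w + \lceil w/r \rceil - 1}{r + 1} \right\rfloor - 1$    (10c)
    $= x$    (10d)

where eq. (10d) follows since
$\left\lceil \frac{w}{r} \right\rceil - \left\lfloor \frac{w + \lceil w/r \rceil - 1}{r + 1} \right\rfloor - 1 = 0$ for
$w \in [0, r - 1]$. Now, substituting $y = x + \lceil x/r \rceil - 1$ in eq. (10a)
we have eq. (9). ■

Proof of theorem 2: Let $A_i = \{\mathcal{R}_i \cup \{i\}\}$. Recall that we
can recover the secret $S$ from any $m$ symbols in the $n$ length
word $f(S) = C$. We construct an $m$-subset $\mathcal{M} \subseteq [n]$ such that
$|\{i : A_i \subseteq \mathcal{M}\}|$ is maximized. Suppose,

    $\mathcal{M}' = \bigcup_{i : A_i \subseteq \mathcal{M}} \mathcal{R}_i.$

We have $H(C_{\mathcal{M}}|C_{\mathcal{M}'}) = 0$. Moreover $H(S|C_{\mathcal{M}}) = 0$.
This implies,

    $H(S|C_{\mathcal{M}'}) = 0.$

Now we can select any $\ell$-subset $\mathcal{L}$ of $\mathcal{M}'$ and assume
that the eavesdropper observes that set. Therefore, $H(S) =
H(S|C_{\mathcal{L}})$ must be less than or equal to the number of symbols
in $\mathcal{M}' \setminus \mathcal{L}$. Formally,

    $k = H(S) = H(S|C_{\mathcal{L}}) \le H(C_{\mathcal{M}'}|C_{\mathcal{L}}) \le |\mathcal{M}' \setminus \mathcal{L}| = |\mathcal{M}'| - \ell.$    (11)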

This observation will lead us to eq. (8). We describe below
the only remaining task: the method for constructing the set
$\mathcal{M}$ described above, and show that it gives us eq. (8). The
construction for $\mathcal{M}$ is given in algorithm 1.

Data: $\mathcal{R}_i$ for all $i$
Result: $\mathcal{M} \subseteq [n]$, $|\mathcal{M}| = m$ containing at least
        $\lfloor m/(r + 1) \rfloor$ recovery sets

 1  $j = 0$; $\mathcal{M}^0 = \emptyset$
 2  choose any $t \in [n]$
 3  while $|\mathcal{M}^j \cup \{A_t\}| < m$ do
 4      $\mathcal{M}^{j+1} = \mathcal{M}^j \cup A_t$
 5      choose $t \notin \mathcal{M}^{j+1}$
 6      $j = j + 1$
 7  end
 8  if $|\mathcal{M}^j \cup A_t| \le m$ then
 9      $\mathcal{M}^{j+1} = \mathcal{M}^j \cup A_t$
10  else
11      $X$ = any $(m - |\mathcal{M}^j|)$-subset of $[n] \setminus \mathcal{M}^j$
12      $\mathcal{M}^{j+1} = \mathcal{M}^j \cup X$
13  end
14  $j = j + 1$
15  $\mathcal{M} = \mathcal{M}^j$

Algorithm 1: Constructing a set $\mathcal{M} \subseteq \{1, 2, \dots, n\}$ to
maximize $|\{i : A_i \subseteq \mathcal{M}\}|$

Note that algorithm 1 may not actually give the set containing
the maximum number of $A_i$ but it would suffice to
prove the bound in eq. (8). Let $v$ denote number of sets $A_t$
added to $\mathcal{M}^j$. We have, $|A_i| \le r + 1, \forall i$. So the maximum
size of the set added in each step is $r + 1$. Since $|\mathcal{M}| = m$
by construction, when the algorithm ends at line 9 we have
$v \ge \frac{m}{r+1}$. If the algorithm ends at line 10 we must have,
$v \ge \left\lfloor \frac{m}{r+1} \right\rfloor$. Evidently we have constructed a set $\mathcal{M}$ such that
$|\mathcal{M}'| = |\mathcal{M}| - v \le m - \left\lfloor \frac{m}{r+1} \right\rfloor$. From eq. (11) we have,

    $k \le m - \left\lfloor \frac{m}{r + 1} \right\rfloor - \ell.$    (12)

Using eq. (11) we can show the following.

Corollary 4. There exists a set $J \subseteq [n]$ with
$\ell \le |J| \le m - \left\lfloor \frac{m}{r+1} \right\rfloor$ such that,

    $H(S|C_J) \le m - \left\lfloor \frac{m}{r + 1} \right\rfloor - |J|.$    (13)

Equation (13) gives an upper-bound on the maximum ambiguity
of the secret of an $(n, k, \ell, m, r)$-scheme when the
eavesdropper has access to more than $\ell$ shares.


B. Constructions 

It is possible to show matching achievability results to 
theorem 2 by a number of different methods. 

Theorem 5. There exists a $(n, k, \ell, m, r)$-secret sharing
scheme such that eq. (!) is satisfied with equality.

In particular this theorem can be proved by constructing
a random linear network code. We delegate that proof to
Appendix B.

The achievability result also follows from [18], which gives
a construction for optimal secure LRC employing Gabidulin
codes to satisfy the security constraint. In what follows we
describe their method, adapted for our scenario, because this
will be useful later in our paper when we consider more
general secret sharing schemes.


An intuitive construction of $\ell$-secure schemes comes by
replacing some inputs to a LRC with uniform random variables.
Formally, consider a linear code $\mathcal{C}$ with code-length $n$
and dimension $(k + \ell)$. Let $G = [G^1\ G^2] \in \mathbb{F}_q^{n \times (k+\ell)}$ be
the generator matrix of this code such that $G^1 \in \mathbb{F}_q^{n \times \ell}$ and
$G^2 \in \mathbb{F}_q^{n \times k}$. Let $a \in \mathbb{F}_q^{k+\ell}$ be the input to the encoder of
$\mathcal{C}$ (i.e., the codeword is generated by multiplying $a$ with the
generator matrix of $\mathcal{C}$). Denote by $s \in \mathbb{F}_q^k$ the input we want to
store securely. We construct an $\ell$-secure secret sharing scheme
using $\mathcal{C}$ by taking,

    $a = \begin{bmatrix} r \\ s \end{bmatrix}$    (14)

where $r \in \mathbb{F}_q^\ell$ is an instance of uniformly distributed random
vector. This scheme is $\ell$-secure if and only if for any $\ell$ linearly
independent rows of $G$ the corresponding rows of $G^1$ are
linearly independent.

Lemma 6. Let $g_i = [g_{i1}\ g_{i2} \dots g_{i(k+\ell)}]$, $i \in [\ell]$ be any $\ell$
linearly independent rows of $G$. The secret sharing scheme
constructed in eq. (14) is $\ell$-secure if and only if the corresponding
row vectors $g_i^1 = [g_{i1}\ g_{i2} \dots g_{i\ell}]$, $i \in [\ell]$ of $G^1$ are
linearly independent.

The proof of lemma 6 is given in Appendix A. Note that
using lemma 6 we can add the security property to any linear
code; we do not assume any locality property for the generator
matrix $G$. But, it is clear that if the generator matrix $G$ has
locality $r$, then so would the scheme constructed in eq. (14).
The construction of an optimal $(n, k, \ell, m, r)_q$ scheme is
described in the following.
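The rank condition of lemma 6 can be checked mechanically; the following is an added example, not code from the paper. It builds the scheme of eq. (14) over GF(5) for two constructed generator matrices with local parity groups (r = 2, k = 1, ℓ = 2), lists the row sets that violate the lemma, and confirms the result by brute force over every secret and random vector. The matrices, the field size and all function names are assumptions made for illustration, and the input is ordered a = (r, s) so that G^1 is the first ℓ columns of G.

```python
"""Added example: lemma 6 rank test for the construction of eq. (14)."""
from collections import Counter
from itertools import combinations, product

P = 5  # constructed parameter: all symbols live in the prime field GF(5)

# Constructed 6 x 3 generator matrices (k = 1, ell = 2). In both, rows 2 and 5
# are local parities (row2 = row0 + row1, row5 = row3 + row4), so r = 2.
G_SECURE = [(1, 0, 1), (0, 1, 1), (1, 1, 2), (1, 2, 1), (3, 4, 0), (4, 1, 1)]
G_LEAKY = [(1, 1, 1), (1, 2, 4), (2, 3, 0), (1, 3, 4), (1, 4, 1), (2, 2, 0)]


def rank_mod_p(rows, p=P):
    """Rank of a list of row vectors over GF(p), by Gaussian elimination."""
    m = [[v % p for v in row] for row in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)  # modular inverse, Python 3.8+
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def encode(G, r, s, p=P):
    """Shares c = G a with a = (r, s): random symbols first, then the secret."""
    a = list(r) + list(s)
    return tuple(sum(g * x for g, x in zip(row, a)) % p for row in G)


def lemma6_violations(G, ell, p=P):
    """ell-sets whose rows are independent in G but dependent in G^1."""
    bad = []
    for rows in combinations(range(len(G)), ell):
        if rank_mod_p([G[i] for i in rows], p) != ell:
            continue  # lemma 6 only speaks about independent rows of G
        if rank_mod_p([G[i][:ell] for i in rows], p) < ell:
            bad.append(rows)
    return bad


def leaking_sets(G, ell, k, p=P):
    """Brute force: ell-sets of shares whose distribution depends on s."""
    bad = []
    for rows in combinations(range(len(G)), ell):
        views = []
        for s in product(range(p), repeat=k):
            seen = Counter()
            for r in product(range(p), repeat=ell):
                c = encode(G, r, s, p)
                seen[tuple(c[i] for i in rows)] += 1
            views.append(seen)
        if any(v != views[0] for v in views[1:]):
            bad.append(rows)
    return bad


if __name__ == "__main__":
    for name, G in (("G_SECURE", G_SECURE), ("G_LEAKY", G_LEAKY)):
        print(name, lemma6_violations(G, 2), leaking_sets(G, 2, 1))
```

Both matrices have locality 2, yet only one is 2-secure: in G_LEAKY the first two coordinates of rows 0 and 5 (and of rows 2 and 4) are parallel, so an eavesdropper holding either pair can cancel the random part.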

Gabidulin precoding construction: Let $N$ be an integer. The
points $\alpha_i \in \mathbb{F}_{q^N}$, $i \in [n]$ can be represented as vectors in
$\mathbb{F}_q^N$ and are said to be $\mathbb{F}_q$-linearly independent when the
corresponding vectors over $\mathbb{F}_q$ are linearly independent. A
Gabidulin code from $\mathbb{F}_{q^N}^k \to \mathbb{F}_{q^N}^n$, for input $(f_1 f_2 \cdots f_k)$,
$f_i \in \mathbb{F}_{q^N}$, is obtained by evaluating the linearized polynomial
$\Phi(y) = \sum_{i=1}^{k} f_i y^{q^{i-1}}$ at $n$ $\mathbb{F}_q$-linearly independent points
$\alpha_i \in \mathbb{F}_{q^N}$, $i \in [n]$. The linearized polynomial $\Phi(y)$ has the
following linearity property,

    $\Phi(ax + by) = a\Phi(x) + b\Phi(y)$    (15)

for all $x, y \in \mathbb{F}_{q^N}$ and $a, b \in \mathbb{F}_q$. Note that, we need $N \ge n$
to obtain $n$ $\mathbb{F}_q$-linearly independent points in $\mathbb{F}_{q^N}$.

Consider the generator matrix, $G = [g_1 \dots g_n]^T$ of a linear
$(n, k + \ell, r)_q$-optimal LRC, where $g_i = [g_{i1} \dots g_{i(k+\ell)}]^T$.
Consider $a = (s\ r)$, where $r$ is an instance of uniformly
distributed random variable in $\mathbb{F}_{q^N}^\ell$ and $s \in \mathbb{F}_{q^N}^k$, $N \ge n$,
denotes the secret. First, $a$ is precoded using a Gabidulin
code, $\Gamma : \mathbb{F}_{q^N}^{k+\ell} \to \mathbb{F}_{q^N}^{k+\ell}$ which is obtained by evaluating the
polynomial,

    $\Psi_a(y) = \sum_{i=1}^{k+\ell} a_i y^{q^{i-1}}$    (16)

at the $\mathbb{F}_q$-linearly independent points $\alpha_i \in \mathbb{F}_{q^N}$, $i \in [k + \ell]$.
Now, representing $\Gamma(a) \in \mathbb{F}_{q^N}^{k+\ell}$ as a matrix of size
$(k + \ell) \times N$ in $\mathbb{F}_q$, each column of the matrix can be encoded
independently using the generator matrix $G$ for the optimal
LRC to get $c \in \mathbb{F}_{q^N}^n$. It is easy to show that this
construction is $\ell$-secure. The optimality of the scheme then
follows from the optimality of the initial linear LRC. The proof
of security of this construction is given below.

Proof of theorem 5 with the Gabidulin construction:
Assume without loss of generality (wlog) that the eavesdropper
observes $\mathcal{L} = [\ell] \subseteq [n]$ symbols $c_i$, $i \in \mathcal{L}$. Let
G = Further assume that the rank(G) = $\ell$,
since otherwise the $\ell$-strength eavesdropper is equivalent to
a rank(G)-strength eavesdropper. Let
$\tilde{\alpha}_i = \sum_{j=1}^{k+\ell} g_{ij} \alpha_j$, $i \in \mathcal{L}$.
Then since G is full-rank $\{\tilde{\alpha}_i\}_{i \in \mathcal{L}}$ are $\mathbb{F}_q$-linearly independent.
Therefore, using eq. (15) we have,

    $c_i = \sum_{j=1}^{k+\ell} g_{ij} \Psi_a(\alpha_j) = \Psi_a\left(\sum_{j=1}^{k+\ell} g_{ij} \alpha_j\right)$

Let $R$, $S$, $C$ be the random variables corresponding to the
vector $r$, the secret $s$, and the node shares $C = (C_i)_i$. To
prove security we use the secrecy lemma in [18, Lemma 4],
to show that $H(C_{\mathcal{L}}) \le H(R)$ and $H(R|S, C_{\mathcal{L}}) = 0$ imply
$H(S|C_{\mathcal{L}}) = H(S)$. Indeed, $H(S|C_{\mathcal{L}}) \le H(S)$, and

    $H(S) + H(R) = H(S|R) + H(R)$
    $= H(S, R) = H(S, C_{\mathcal{L}}, R)$
    $= H(C_{\mathcal{L}}) + H(S, R|C_{\mathcal{L}})$
    $= H(C_{\mathcal{L}}) + H(R|S, C_{\mathcal{L}}) + H(S|C_{\mathcal{L}})$
    $= H(C_{\mathcal{L}}) + H(S|C_{\mathcal{L}})$    (17a)
    $\le H(R) + H(S|C_{\mathcal{L}})$    (17b)

where eqs. (17a) and (17b) follow from the assumptions
$H(R|S, C_{\mathcal{L}}) = 0$ and $H(C_{\mathcal{L}}) \le H(R)$ respectively. On the
other hand, assuming that the eavesdropper also knows $s$ (in
addition to $c_{\mathcal{L}}$), she/he has

k i 

c* = c*-E' = E \i^£- 

3=1 3=1 

j—l 

Since B = [a® is full rank, the eavesdropper can 

compute $[c_1 \dots c_\ell] B^{-1} = [r_1 \dots r_\ell]$. Thus, $H(R|S, C_{\mathcal{L}}) = 0$.
Now $H(C_{\mathcal{L}}) \le H(R)$, since $|\mathcal{L}| \le \ell$. Therefore, we have an
$(n, k, \ell, m, r)_{q^N}$-secret sharing scheme. ■

C. Constructions with small alphabet size: equivalence with 
maximal recoverability 

Note that, the size of the alphabet/shares in the construction
of optimal secure scheme using Gabidulin codes is exponential
in the number of nodes. In this section, our aim is to show
that the construction of an optimal secure scheme with small
alphabet size will amount to finding a maximally recoverable
code over that alphabet. We use the construction in eq. (14)
to form a secure scheme from an optimal LRC with a small
alphabet and analyze the conditions for that construction to
satisfy lemma 6. We assume $(r + 1) \mid n$, i.e. $r + 1$ divides $n$, for
simplicity in this subsection.


We will need the following definition of maximally recoverable
codes [7].

Definition 2. Consider an $(n, k, r)_q$-optimal LRC. Let
$\{Q_j : |Q_j| = r + 1, j \in [n/(r + 1)]\}$ denote a partition of $[n]$ such
that the recovery set of $i$th coordinate is,

    $\mathcal{R}_i = Q(i) \setminus \{i\}, \quad \forall i \in [n],$    (18)

where $Q(i) \in \{Q_j\}_j$ is the partition containing node $i$. Denote
such an LRC by $(n, k, r, \{Q_j\}_j)_q$. The $(n, k, r, \{Q_j\}_j)_q$ LRC
is called maximally recoverable if the code obtained by
puncturing any one symbol from each $Q_j$ is maximum distance
separable (MDS).

Note that, in [8], it was pointed out that an optimal linear
LRC must have the recovery structure as in eq. (18).

The main objective of this section is to show that the immediate
construction of $(n, k, \ell, m, r)$-secret-sharing scheme
from an optimal LRC is effective if and only if the code
is maximally recoverable.

Lemma 7. For any linear $(n, k + \ell, r, \{Q_j\}_j)_q$-optimal LRC
code with a generator matrix $G$, consider $S \subseteq [n]$ : $|S| = \ell$
and $|S \cap Q_j| \le r$, $j \in [n/(r + 1)]$. Then, the
rows corresponding to $S$ in $G$ are linearly independent for
any $\ell$ such that


Proof: Partition $S$ as follows, $S = \bigcup_{j \in [n/(r+1)]} S_j$,
$S_j = S \cap Q_j$ and let $\Lambda := \{j : S_j \ne \emptyset\}$. Consider a set
$S' \supseteq S$ : $|S'| \le k + \ell$ and define $S'_j := S' \cap Q_j$. Suppose that
we can construct $S'$ with $|S'_j| \le r$, $\forall j \in [n/(r + 1)]$ such that
the number of partitions $Q_j$ that contain $r$ co-ordinates of $S'$
is at least $\lceil (k + \ell)/r \rceil - 1$. Let $\Psi := \{j : |S'_j| = r\}$. Thus,

    $|\Psi| \ge \lceil (k + \ell)/r \rceil - 1$    (20)

Construct a set $S'' \supseteq S'$ by adding $k + \ell - |S'|$ co-ordinates
to $S'$ such that, $|S'' \cap Q_j| \le r$, $\forall j \in [n/(r + 1)]$. Now at least
$|\Psi|$ more co-ordinates are recoverable from $S''$. Note that the
input $a$ for $(n, k + \ell, r, \{Q_j\}_j)_q$-optimal LRC is recoverable
from any $m = (k + \ell) + \lceil (k + \ell)/r \rceil - 1$ co-ordinates and
$|S''| + |\Psi| \ge m$. Thus, $a$ is recoverable from $c_{S''}$. Now, since
$|S''| = k + \ell$ the rows of $G$ corresponding to $S''$ (and hence $S$)
must be L.I. We are now left with the task of constructing a set
$S'$ satisfying eq. (20) for the given $S$ with $|S| = \ell$ satisfying
eq. (19). The construction is given below.

For $|\Lambda| < k/(r - 1)$ we can easily construct $S'$. Since
$|\Lambda| < k/(r - 1) \implies |\Lambda| r < k + \ell$, we can choose
$\Psi\ (\supseteq \Lambda)$ : $|\Psi| = \lfloor (k + \ell)/r \rfloor$. Now to each of the partitions
$Q_j$, $j \in \Psi$, add $r - |S_j|$ co-ordinates from $Q_j$ to get a set $S'$ of size
$r \lfloor (k + \ell)/r \rfloor \le k + \ell$. It is easy to see that this set satisfies
eq. (20).

Now assume that $|\Lambda| \ge k/(r - 1)$. Choose any $\Psi \subseteq \Lambda$ :
$|\Psi| = \lfloor k/(r - 1) \rfloor$. Select any $r - |S_j|$ co-ordinates from $Q_j$
for all $j \in \Psi$. Adding these co-ordinates to $S$, we get $S'$
satisfying $|S'| \le \lfloor k/(r - 1) \rfloor (r - 1) + \ell \le k + \ell$. Thus, from
eq. (19) we have,

14-1 + 1 - \{k + £)/rl > [k/{r - 1)J - ^ 
> [k/{r — 1)J-(1 + [k/{r — 1)J — k/r — 1/r)

= -( 1 - 1/0 


Since $|\{Q_j : |Q_j \cap S'| = r\}| + 1 - \lceil (k + \ell)/r \rceil$ is an integer,
$|\Psi| + 1 - \lceil (k + \ell)/r \rceil \ge 0$, $S'$ satisfies eq. (20). ■

For $\ell \le r$, the construction (in eq. (14)) using an optimal
LRC code is $\ell$-secure since any $\ell$ rows of $G^1$ form an $\ell \times \ell$
Vandermonde matrix. For $\ell > r$, we have the following result,
using definition 2 and lemma 7.

Theorem 8. Consider a linear $(n, k + \ell, r, \{Q_j\}_j)_q$-optimal
LRC $\mathcal{C}$. Then the construction in eq. (14) using code $\mathcal{C}$ is
$\ell$-secure if there exists $\mathcal{C}' \subseteq \mathcal{C}$ of dimension $\ell$ such that $\mathcal{C}'$ is
maximally recoverable. Conversely, if the construction in eq. (14)
is $\ell$-secure then there must exist a maximally recoverable code
$\mathcal{C}' \subseteq \mathcal{C}$ of dimension $\ell$, for $\ell < r - 1 + (r \lfloor k/(r - 1) \rfloor - k)$.

Proof: Let $G = [G^1\ G^2] \in \mathbb{F}_q^{n \times (k+\ell)}$ be the generator
matrix of $\mathcal{C}$ where $G^1 \in \mathbb{F}_q^{n \times \ell}$. Let $G^1$ be the generator matrix
of a maximally recoverable code $\mathcal{C}'$. Consider a set $V \subseteq [n]$
of any $\ell$ linearly dependent rows of $G^1$. Since $\mathcal{C}'$ is maximally
recoverable, $Q_j \subseteq V$ for at least one $j \in [n/(r + 1)]$. Hence,
the corresponding rows in $G$ must also be linearly dependent.
Thus, from lemma 6 the secret sharing construction in eq. (14)
must be $\ell$-secure.

Now, suppose that $\mathcal{C}$ does not contain any subcode of
dimension $\ell$ which is maximally recoverable. Then, the code
generated by $G^1$ is not maximally recoverable. Thus, there
would exist an $S \subseteq [n]$ : $|S| = \ell$ and $|S \cap Q_j| \le r$,
$\forall j \in [n/(r + 1)]$ such that the rows in $G^1$ corresponding to $S$
are linearly dependent. Now from lemma 7 we know that the
rows corresponding to $S$ in $G$ are not linearly dependent for
$\ell < r - 1 + (r \lfloor k/(r - 1) \rfloor - k)$. Hence, from lemma 6 the
secret sharing scheme cannot be $\ell$-secure. ■

Recently an optimal construction of locally repairable codes
was proposed in [24] by Tamo and Barg for general values of
the parameters $n$, $k$, and $r$ and alphabet size of $O(n)$. Our
theorem 8 implies that the secret sharing scheme constructed
in eq. (14) using such code is $\ell$-secure if and only if the
Tamo-Barg codes are maximally recoverable. In general these codes
are not maximally recoverable. It should be noted that it is
quite a nontrivial open problem to construct maximally recoverable
codes with linear or even polynomial (in blocklength)
alphabet size [7].

In the next two sections we extend the notions and results
of section II to other generalized repair conditions related to
distributed storage.

III. Security for Schemes with cooperative repair

Cooperative repair for a locally repairable scheme addresses
simultaneous multiple failures in a distributed storage system
[19]^1. To this end, we extend the definition in eq. (4) to a
$(r, \delta)$ scheme where any $\delta$ -instead of just one- shares can be
recovered from $r$ other shares.

^1 There is a related notion of cooperative recovery in regenerating codes
[23] and security in such systems [12]. In this paper we are concerned with
only the local recovery problem, and not the regenerating problem.

Definition 3. A set $\mathcal{C} \subseteq \mathbb{F}_q^n$ is said to be $(r, \delta)$-repairable if for
every $A \subseteq [n]$ : $|A| \le \delta$ there exists a set $\mathcal{R}(A) \subseteq [n] \setminus A$ :
$|\mathcal{R}(A)| \le r$ such that for all $c, c' \in \mathcal{C}$,

    $c_A \ne c'_A \implies c_{\mathcal{R}(A)} \ne c'_{\mathcal{R}(A)}$    (21)

Using definition 3 we can generalize the notion of an
$(n, k, \ell, m, r)_q$-secret sharing scheme. For this system we derive
an upper bound on the capacity $k$ given $n$, $m$, $\ell$, $r$, and $\delta$.

Definition 4. An $(n, k, \ell, m, (r, \delta))_q$-secret sharing scheme
consists of a randomized encoder $f(\cdot)$ that stores a file $s \in \mathbb{F}_q^k$
in $n$ separate shares, such that the scheme is $(r, \delta)$-repairable
(definition 3), satisfies the recovery condition (cf. eq. (2)) and
is $\ell$-secure (cf. eq. (3)).


A. The case of m = n

Error-correcting codes with $(r, \delta)$-repairability were considered
in [19] ($\ell = 0$ or no security) and the following upper-bound
on the rate of such codes has been proposed, for the
case of $m = n$.

    $R = \frac{k}{n} \le \frac{r}{r + \delta}$    (22)

For the case of $\ell$-secure codes we give an analogous upper
bound on the rate of a secret sharing scheme in the following.

Theorem 9. The rate $R = k/n$ of an $(n, k, \ell, n, (r, \delta))_q$ secret
sharing scheme is bounded as,

    $R \le \frac{r}{r + \delta} - \frac{\ell}{n}$    (23)

Proof: For an $(n, k, \ell, (r, \delta))_q$ scheme we construct a
set of size $m = n$ similar to algorithm 1 except instead of
choosing a set of size 1 in steps 2 and 5, we find a set of
size $\delta$. Then using the same arguments we must have at least
$v = m/(r + \delta)$ number of steps. Hence, subtracting the number of
recoverable symbols $\delta v$ from the $m$ symbols we must have,

    $k + \ell \le m - \delta v = n - \delta \frac{n}{r + \delta}$
    $\implies \frac{k + \ell}{n} \le \frac{r}{r + \delta}$

Construction: Note that, any linear $q$-ary $(r, \delta)$-repairable
error-correcting code of length $n$ and dimension $k$ will give
rise to a $(n, k, 0, (r, \delta))$-secret sharing scheme. In [19, Sec. 6],
an $(r, \delta)$ repairable code has been constructed using bipartite
graphs of large girth. In particular, that construction results in
parameters such that

    $\frac{k}{n} \ge \frac{r - \delta}{r + \delta}.$

It can also be seen from the discussion of section II-B
that Gabidulin precoding (eq. (16)) would give an $\ell$-secure
construction with alphabet $\mathbb{F}_{q^N}$, $N \ge n$, from any optimal
linear $(n, k + \ell, 0, (r, \delta))_q$-secret sharing scheme. Thus, for any
$(n, k + \ell, 0, (r, \delta))_q$ secret sharing scheme achieving the upper-bound
in eq. (22) we can achieve the corresponding upper-bound
in theorem 9. Hence, using the code of [19, Sec. 6]
in conjunction with the Gabidulin precoding, it is possible to
obtain a rate of

    $\frac{k}{n} \ge \frac{r - \delta}{r + \delta} - \frac{\ell}{n}$

which is an additive term of away from the optimum
possible.


B. The case of m < n.

The bound for general case of $m < n$ can be deduced
from the same arguments as above. In fact, by slightly generalizing
algorithm 1, we get the following result; for any
$(n, k, \ell, m, (r, \delta))_q$-secret sharing scheme,

    $k + \ell \le m - \left\lfloor \frac{m}{r + \delta} \right\rfloor \delta - h$    (24)

where $h = (m \bmod (r + \delta) - r)^{+}$ and $x^{+} := \max(x, 0)$.

Note that, this results in slightly weaker bound for the
case of $m = n$ than eq. (23). In general for $m < n$ and
arbitrary values of $\ell$, we do not have any good construction that
will be close to the bound. While the expander-graph based
constructions of $(r, \delta)$-locally repairable codes from [19] can
be generalized, their performance is very far from the bound
of eq. (24).


IV. Security for repairable codes on graphs 

Another extension of local repair property for distributed 
storage has recently been proposed in [13], [14]. Consider a 
Distributed Storage System as a directed graph Q such that a 
node of the graph represents a node of the Distributed Storage 
System and each node can connect to only its out-neighbors for 
repair. We dehne an f-secure code in this scenario as follows. 


A. Repairable Codes on Graph 

Definition 5. Let $\mathcal{G} = ([n], E)$ be a graph on $n$ nodes.
An $(n, k, \ell, m, \mathcal{G})_q$-secret sharing scheme consists of a
randomized encoder $f$ that can store a uniformly random secret
$S \in \mathbb{F}_q^k$ on $n$ shares/nodes, $C = f(S)$, $C \in \mathbb{F}_q^n$, such that the
system is $\ell$-secure (cf. eq. (3)) and the data can be recovered
from any $m$ shares (cf. eq. (2)). In addition the share of any
node can be recovered from its neighbors, i.e.

$$H(C_i \mid C_{N(i)}) = 0$$

where $N(i) = \{j \in [n] : (i,j) \in E\}$ denotes the neighbors
(out-neighbors in the case of a directed graph) of node $i$ in
the graph $\mathcal{G} = ([n], E)$.

A bound on the capacity of such a scheme in directed graphs
for $\ell = 0$ (no security) was derived in [15],

$$m \ge k + \max_{U \in I(\mathcal{G}) :\ |N(U)| \le k-1} |U| \qquad (25)$$

where $I(\mathcal{G})$ denotes the set of induced acyclic subgraphs in
$\mathcal{G}$, and $N(U) := \bigcup_{i \in U} N(i) \setminus U$ denotes the neighbors of $U$.
For undirected graphs we have the same bound with $I(\mathcal{G})$
denoting the collection of all independent sets of the graph.


The lower bound on $m$ for an $\ell$-secure scheme on a graph $\mathcal{G}$
is given in the following.

Theorem 10. For any $(n, k, \ell, m, \mathcal{G})_q$-secret sharing scheme
on a directed graph $\mathcal{G}$, $m$ satisfies the following lower bound,

$$m \ge k + \ell + \max_{U \in I(\mathcal{G}) :\ |N(U)| \le \ell + k - 1} |U| \qquad (26)$$

where $I(\mathcal{G})$ denotes the set of induced acyclic subgraphs in $\mathcal{G}$.

Proof: Since any $m$ co-ordinates in the shares $C = (C_i)_{i \in [n]}$
can recover the secret $S$ we must have,

$$m \ge |W| + 1 \qquad (27)$$

for all $W \subseteq [n]$ such that $H(S \mid C_W) > 0$. Let $U$ be an
acyclic subgraph, $U \in I(\mathcal{G})$, such that $|N(U)| \le \ell + k - 1$.
Construct a set $V \supseteq U \cup N(U)$ by adding any $\ell + k - 1 - |N(U)|$
nodes to $U \cup N(U)$. Thus, $|V| = k + \ell + |U| - 1$. We
show that $H(S \mid C_V) > 0$ for any such $V$.

Note that for any three random variables $X, Y, Z$ we must
have,

$$\begin{aligned}
H(X \mid Y, Z) &= H(X, Z \mid Y) - H(Z \mid Y) \\
&= H(X \mid Y) + H(Z \mid X, Y) - H(Z \mid Y) \\
&\ge H(X \mid Y) - H(Z). \qquad (28)
\end{aligned}$$

Assume that the eavesdropper selects an $\ell$-subset $\mathcal{E} \subseteq [n]$
in the set $V$. Then, since the eavesdropper must not get any
information about the secret,

$$H(S \mid C_{\mathcal{E}}) = H(S) \qquad (29)$$

Since the sub-graph $U$ is acyclic the nodes in $U$ must be a
function of the leaf nodes and the nodes in $N(U)$. Now, the
leaf nodes must also be a function of $N(U)$ since their
out-neighbors can only be in $N(U)$. Therefore,

$$\begin{aligned}
H(S \mid C_V) = H(S \mid C_{N(U)}) &= H(S \mid C_{\mathcal{E}}, C_{N(U) \setminus \mathcal{E}}) \\
&\overset{(a)}{\ge} H(S \mid C_{\mathcal{E}}) - H(C_{N(U) \setminus \mathcal{E}}) \\
&\overset{(b)}{=} H(S) - H(C_{N(U) \setminus \mathcal{E}})
\end{aligned}$$

where (a) and (b) follow from eq. (28) and eq. (29) respectively,
and (c) is true since $|N(U) \setminus \mathcal{E}| = k - 1$. ■

When m = n, i.e. when the scheme does not need to protect 
against catastrophic failures, we can formulate a converse 
bound for repairable codes on graphs that does not follow 
directly from the above theorem. 

Theorem 11. Consider an $(n, k, \ell, n, \mathcal{G})_q$ secret sharing
scheme. The secrecy capacity of the scheme satisfies the
following upper bound.

$$k \le n - |U| - \ell \qquad (30)$$

where $U$ is the largest acyclic induced subgraph in $\mathcal{G}$ when $\mathcal{G}$
is a directed graph, and it is the largest independent set when
$\mathcal{G}$ is undirected.

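Proof: We will show the proof for $\mathcal{G}$ directed. Consider
the shares $C_U$ corresponding to the nodes in $U \subseteq [n]$. The
recovery set of any node in $U$ can contain its children in $U$ or
co-ordinates in $[n] \setminus U$. Since $U$ is acyclic, all the leaf nodes
of $U$ have recovery sets in $[n] \setminus U$. Thus, we can recover
all the leaf nodes from the co-ordinates in $[n] \setminus U$. Now, we
can recursively recover all the co-ordinates of $U$ from the
co-ordinates in $[n] \setminus U$. Thus,

$$H(C_U \mid C_{[n] \setminus U}) = 0 \qquad (31)$$

Equation (31) is true because all the leaf nodes in $U$ must
have their recovery sets in $[n] \setminus U$. And by recovering the leaf
nodes we can recover all nodes in $U$. Now, since $H(S \mid C) = 0$
we must have from eq. (31),

$$H(S \mid C_{[n] \setminus U}) = 0 \qquad (32)$$

Now, suppose that the eavesdropper selects an $\ell$-subset
$\mathcal{E} \subseteq [n] \setminus U$. Then, we must have,

$$H(S) = H(S \mid C_{\mathcal{E}}) \qquad (33)$$

Therefore, using eqs. (32) and (33) we have,

$$\begin{aligned}
H(C_{[n] \setminus U} \mid C_{\mathcal{E}}) &= H(C_{[n] \setminus U} \mid C_{\mathcal{E}}) + H(S \mid C_{[n] \setminus U}, C_{\mathcal{E}}) \\
&= H(S, C_{[n] \setminus U} \mid C_{\mathcal{E}}) \\
&= H(S \mid C_{\mathcal{E}}) + H(C_{[n] \setminus U} \mid S, C_{\mathcal{E}}) \\
&= H(S) + H(C_{[n] \setminus U} \mid S, C_{\mathcal{E}}) \\
\Rightarrow H(S) &= H(C_{[n] \setminus U} \mid C_{\mathcal{E}}) - H(C_{[n] \setminus U} \mid S, C_{\mathcal{E}}) \\
H(S) &\le H(C_{[n] \setminus U} \mid C_{\mathcal{E}}) \le n - |U| - \ell.
\end{aligned}$$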


Note that the bound in eq. (30) parallels the feedback vertex 
set upper-bound in [15, Prop. 11]. Here, a feedback vertex set 
of a graph is a set of nodes such that every cycle in the graph 
has a vertex in the set. 

B. Achievable Schemes for Secure Repairable Codes on 
Graphs 

In this section we consider construction of an $(n, k, \ell, m, \mathcal{G})_q$-secret
sharing scheme only when $m = n$. We do not have any
nontrivial construction for the case of $m < n$.

Consider a secret sharing scheme for the case of undirected
graphs (definition 5). A maximum matching $\mathcal{M}(\mathcal{G})$ of the
graph $\mathcal{G}$ is defined as the set of edges of maximum cardinality
such that no two edges have a vertex in common. To construct
a recoverable scheme for this code, with input $x \in \mathbb{F}_q^{|\mathcal{M}(\mathcal{G})|}$,
we assign a coordinate of $x$ to both vertices for every edge in
$\mathcal{M}(\mathcal{G})$. For recoverability, we note that a symbol in vertex $v$
can be recovered from $u$, where $(v, u) \in \mathcal{M}(\mathcal{G})$.

Suppose $|\mathcal{M}(\mathcal{G})| = k + \ell$. Consider the vector input
$x \in \mathbb{F}_q^{k+\ell}$ to the above scheme. We set $x = G \times [s\ r]$, $s \in \mathbb{F}_q^k$,
$r \in \mathbb{F}_q^\ell$, where $s$ is the secret, $r$ is an instance of a uniform
random vector, and $G$ is the $(k+\ell) \times (k+\ell)$ Vandermonde
matrix $G = [a_i^{j-1}]_{ij}$ with $\{a_i\}$ distinct elements in $\mathbb{F}_q$. Thus,
from lemma 6, we see that this scheme is $\ell$-secure as well as
recoverable.

The capacity of this scheme is $k = |\mathcal{M}(\mathcal{G})| - \ell \ge \frac{n - |U|}{2} - \ell$,

where U is the maximum independent set. This is true since if 
we remove both end-vertices of the edges of the matching then 
we are left with an independent set. Compared to eq. (30), we 


are an additive term of at most away from what is the 

maximum possible. 
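The matching-based scheme above can be exercised end to end on a small graph. The following is an added example, not code from the paper: it assumes a prime field $\mathbb{F}_7$, a constructed 8-cycle graph with a hand-picked maximum matching, and nonzero evaluation points (so that the columns of $G$ multiplying $r$ stay invertible on any $\ell$ rows). It checks repair from one neighbour, recovery from all shares, and $\ell$-security by exhaustive enumeration.

```python
from itertools import combinations, product
from collections import Counter

P = 7                      # field size q (assumption: prime, so ints mod P form F_q)
K, L = 2, 2                # secret symbols k and eavesdropper strength l
N = 8                      # constructed graph: an 8-cycle
EDGES = [(i, (i + 1) % N) for i in range(N)]
MATCHING = [(0, 1), (2, 3), (4, 5), (6, 7)]   # maximum matching, k + l edges
POINTS = [1, 2, 3, 4]      # distinct NONZERO evaluation points a_i (assumption)
G = [[pow(a, j, P) for j in range(K + L)] for a in POINTS]  # Vandermonde [a_i^(j-1)]

def check_matching():
    """Every matching edge is a graph edge and no vertex is used twice."""
    edge_set = {frozenset(e) for e in EDGES}
    nodes = [v for e in MATCHING for v in e]
    return (all(frozenset(e) in edge_set for e in MATCHING)
            and len(nodes) == len(set(nodes)))

def encode(secret, rand):
    """x = G [s r]; coordinate x_e is written to both endpoints of matching edge e."""
    vec = list(secret) + list(rand)
    x = [sum(g * v for g, v in zip(row, vec)) % P for row in G]
    shares = {}
    for e, (u, v) in enumerate(MATCHING):
        shares[u] = shares[v] = x[e]
    return shares

def repair(shares, lost):
    """Rebuild a lost share from the single neighbour across the matching edge."""
    for u, v in MATCHING:
        if lost in (u, v):
            return shares[v if lost == u else u]
    raise KeyError(lost)

def solve_mod_p(matrix, rhs):
    """Gauss-Jordan elimination over F_P for a square invertible system."""
    n = len(matrix)
    aug = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [a * inv % P for a in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [row[-1] for row in aug]

def recover(shares):
    """m = n: read one endpoint per matching edge, invert G, keep the first k symbols."""
    x = [shares[u] for u, _ in MATCHING]
    return solve_mod_p(G, x)[:K]

def view_distribution(secret, nodes):
    """Distribution of what an eavesdropper on `nodes` sees, over all random r."""
    return Counter(tuple(encode(secret, r)[v] for v in nodes)
                   for r in product(range(P), repeat=L))

def leaks(nodes):
    """True if the view on `nodes` depends on the secret, i.e. H(S | C_nodes) < H(S)."""
    ref = view_distribution((0,) * K, nodes)
    return any(view_distribution(s, nodes) != ref
               for s in product(range(P), repeat=K))

def is_l_secure():
    """Exhaustive check of l-security over every l-subset of nodes."""
    return not any(leaks(nodes) for nodes in combinations(range(N), L))
```

Three nodes on three different matching edges already leak a linear function of the secret, while three nodes covering only two edges do not, since they expose only two coordinates of $x$.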

For directed graphs $\mathcal{G} = ([n], E)$ we use the repairable
codes presented in [15] below to construct a secure scheme.
Suppose that the graph has $K := k + \ell$ vertex disjoint cycles.
Then it is easy to see that we can form a locally repairable
scheme capable of storing $k + \ell$ symbols (one symbol per
cycle) by repeating the same symbol on every vertex in a
cycle. Hence, it is possible to store as many symbols as the
maximum number of vertex disjoint cycles in the graph. In
[15], it was shown that we can do better by using vector codes.
We describe below the vector linear LRC codes constructed
in [15].

Consider the set $\mathcal{P}$ of all cycles in $\mathcal{G}([n], E)$. Suppose
$\Pi : \mathcal{P} \to \mathbb{Q}$ assigns a rational number to every directed cycle. Let
$V(C)$, $C \in \mathcal{P}$ denote the vertices of the cycle $C$. Let $K$ denote
the maximum value of $\sum_{C \in \mathcal{P}} \Pi(C)$, over all such mappings
$\Pi$, under the following constraint,

$$\sum_{C :\ i \in V(C)} \Pi(C) \le 1, \quad \forall i \in [n].$$

Let the optimal assignment $\Pi$ on $\mathcal{P}$ be denoted as
$\Pi(C) = \frac{n(C)}{p}$, where $n(C), p \in \mathbb{Z}_+$. It is possible to find this optimum
by solving a linear program. Then [15] constructs a vector
LRC for the graph $\mathcal{G}$ in $\mathbb{F}_q^p$ with storage capability of $pK$
symbols and per node storage equal to $p$ symbols.

Let $s \in \mathbb{F}_q^{pk}$, $r \in \mathbb{F}_q^{p\ell}$ represent the secret and an
instance of a uniform random vector, respectively. We obtain
$x \in \mathbb{F}_q^{pK}$, $K := k + \ell$, by $x = G \times [s\ r]$, where $G$ is
a $pK \times pK$ Vandermonde matrix $G = [a_i^{j-1}]_{ij}$ with $\{a_i\}$
distinct elements in $\mathbb{F}_q$. $x$ is then stored in the graph using the
scheme described above. Since an $\ell$-strength eavesdropper can
only observe at most $p\ell$ co-ordinates in $x$, we can use lemma 6
to see that the scheme is $\ell$-secure as well as recoverable.

It is known (cf. [15]) that $4K \ln 4K \ln \log_2 4K \ge n - |U|$,
for $U$ being the maximum acyclic induced subgraph. Hence,
we must have,


c log n log log n 

However this achievability result is quite far away from the 
bound of eq. (30). 

V. Perfect Secret Sharing and General Access 
Structures 

So far in this paper we were concentrating on a secret
sharing scheme that is not perfect, i.e., the access structure
and the block-list are not complementary. In this section we
provide results regarding the existence of locally repairable
perfect secret sharing schemes and the relation between the sizes
of shares and secret in those schemes.


A. Perfect access structures with locality 

To make the $(n, k, \ell, m, r)$ secret sharing scheme perfect,
we must have $m = \ell + 1$. This results in a threshold secret
sharing scheme. Now, from eq. (8) we have.
Thus, for storing any secret we must have $r > \ell + 1 = m$. Since
any secret sharing scheme works when $r > m$ (local repair in
this case implies full revelation of the secret) only trivial locally
repairable codes are possible for threshold secret sharing
schemes. This implies the following statement.

Proposition 12. A threshold secret sharing scheme is not 
locally repairable. 

Note that perfect secret sharing schemes are a natural
generalization of threshold schemes. Although for threshold
schemes the locality cannot be small/nontrivial, we show
that this is not true for general access structures and perfect
schemes. Indeed, the following is true.

Proposition 13. There exists an access structure $\mathcal{A}_s$, for which
a perfect secret sharing scheme is possible with arbitrary
non-trivial locality $r$, i.e. $r < \min_{A \in \mathcal{A}_s} |A|$.

Proof: Let $n, \kappa$ be such that $r \mid \kappa$ and $(r+1) \mid n$. Consider
an $(n, \kappa, r, \{Q_j\}_j)$ maximally recoverable LRC (definition 2).
We know that such codes exist from [7]. Now, we use the
Gabidulin precoding method described above to construct a
$(n, k = 1, \ell = \kappa - 1, m = \kappa(1 + 1/r), r)$ secret sharing
scheme from this code.

Define the access structure to be

$$\mathcal{A}_s = \Big\{A \subseteq [n] : \sum_j \min\{|A \cap Q_j|, r\} \ge \kappa\Big\}.$$

Now given any $A \in \mathcal{A}_s$,
a user accessing the shares corresponding to $A$ can determine
the secret $s$ because the set always contains $\kappa$ shares of a
punctured $(nr/(r+1), \kappa)$-MDS code.

For a perfect secret sharing scheme the block-list is given
by $\mathcal{B}_s = \{B : \sum_j \min\{|B \cap Q_j|, r\} < \kappa\}$. Assume
that the eavesdropper has access to a set $B \in \mathcal{B}_s$. Construct
the following set of size at most $\kappa - 1$ from $B$,

$$B' = \bigcup_j N_j' \subseteq B$$

where $N_j' \subseteq N_j$, $N_j = B \cap Q_j$, is obtained by removing any
one co-ordinate if $|N_j| > r$, otherwise $N_j' = N_j$. Note that
$|B'| < \kappa$. Since all the shares in $B$ are recoverable from $B' \subseteq B$,
an eavesdropper with access to the nodes in $B$ is equivalent
to an eavesdropper with access to $B'$. And since $|B'| \le \ell = \kappa - 1$,
the eavesdropper does not get any information about
the secret. ■

Can the above proposition be made general? Is it possible
to characterize the locality for general secret sharing schemes?
Shamir's [22] perfect threshold secret sharing scheme for the
access structure $\mathcal{A}_s = \{A \subseteq [n] : |A| \ge k\}$ is one of the first
general constructions of secret sharing protocols. The scheme
is defined for a scalar secret $s \in \mathbb{F}$ and a set of $n$ participating
nodes $P$. The scheme uses an $(n, k)$ Reed Solomon code
defined using the polynomial $a(x) = s + \sum_{i=1}^{k-1} r_i x^i$ where
$r_i$ are instances of uniform random variables in $\mathbb{F}$.

Ito, Saito, and Nishizeki [11] define a generalization of
Shamir's scheme that works for arbitrary monotone access
structures. Define a maximal element $B \in \mathcal{B}$ as a set such
that $A \supsetneq B \Rightarrow A \notin \mathcal{B}$. Similarly, define a minimal set
$A \in \mathcal{A}$ as a set such that $B \subsetneq A \Rightarrow B \notin \mathcal{A}$. Consider the
set of maximal elements of the block-list $\mathcal{B}$, denoted $\mathcal{B}^+$. The
scheme uses the generator polynomial

$$a(x) = s + \sum_{i=1}^{|\mathcal{B}^+| - 1} r_i x^i$$

to generate $|\mathcal{B}^+|$ shares, one share corresponding
to each maximal set in $\mathcal{B}$. The shares are distributed such that
each user gets the shares corresponding to the subsets it does
not belong to, i.e. participant node $p$ gets the shares

$$\{c_B : p \notin B,\ B \in \mathcal{B}^+\} \qquad (34)$$

Now, suppose that the share of a node $p$ is lost in a secure code
with participants $P$ and block-list $\mathcal{B}$. To recover the share of
$p$ we access the shares of participants in the set $\mathcal{R}(p)$ where
the optimal set $\mathcal{R}(p)$ is

Ti{p) = min |i?|. (35) 

R^B 

To have non-trivial locality, one must have $\max_p |\mathcal{R}(p)|$ to be
strictly less than the maximal sets in the block-list.
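The distribution rule of eq. (34) can be run on a small access structure. The following is an added example, not code from the paper or from [11]: the minimal authorized sets, the prime field $\mathbb{F}_7$ and the evaluation points are constructed for the illustration, and a repair set is taken here to mean the smallest group of other participants whose pooled shares cover every share held by $p$ (an assumption about the reading of eq. (35)).

```python
from itertools import combinations, product
from collections import Counter

P = 7                                    # prime field size (assumption)
PARTICIPANTS = range(4)
MIN_AUTHORIZED = [{0, 1}, {2, 3}]        # constructed minimal sets of the access structure

def authorized(group):
    return any(a <= set(group) for a in MIN_AUTHORIZED)

def maximal_blocked():
    """B+: unauthorized sets that are not contained in a larger unauthorized set."""
    blocked = [set(c) for n in range(len(PARTICIPANTS) + 1)
               for c in combinations(PARTICIPANTS, n) if not authorized(c)]
    return [b for b in blocked if not any(b < other for other in blocked)]

B_PLUS = maximal_blocked()
POINT = {i: i + 1 for i in range(len(B_PLUS))}   # distinct nonzero evaluation points

def deal(secret, coeffs):
    """c_B = a(x_B), a(x) = s + sum r_i x^i; p holds c_B for every B in B+ with p not in B."""
    poly = [secret] + list(coeffs)       # degree |B+| - 1
    c = {i: sum(a * pow(POINT[i], d, P) for d, a in enumerate(poly)) % P
         for i in range(len(B_PLUS))}
    return {p: {i: c[i] for i, b in enumerate(B_PLUS) if p not in b}
            for p in PARTICIPANTS}

def pooled(shares, group):
    out = {}
    for p in group:
        out.update(shares[p])
    return out

def reconstruct(shares, group):
    """Lagrange interpolation at x = 0; needs all |B+| shares, i.e. an authorized group."""
    pts = pooled(shares, group)
    if len(pts) < len(B_PLUS):
        return None
    secret = 0
    for i, y in pts.items():
        num = den = 1
        for j in pts:
            if j != i:
                num = num * (-POINT[j]) % P
                den = den * (POINT[i] - POINT[j]) % P
        secret = (secret + y * num * pow(den, P - 2, P)) % P
    return secret

def view_distribution(secret, group):
    """Distribution of a group's pooled shares over all random coefficients."""
    return Counter(tuple(sorted(pooled(deal(secret, r), group).items()))
                   for r in product(range(P), repeat=len(B_PLUS) - 1))

def view_depends_on_secret(group):
    """Exhaustive perfect-secrecy check: does the group's view change with the secret?"""
    ref = view_distribution(0, group)
    return any(view_distribution(s, group) != ref for s in range(1, P))

def repair_set(p):
    """Smallest group of other participants whose pooled shares cover every share of p."""
    need = {i for i, b in enumerate(B_PLUS) if p not in b}
    others = [q for q in PARTICIPANTS if q != p]
    for size in range(1, len(others) + 1):
        for group in combinations(others, size):
            have = {i for q in group for i, b in enumerate(B_PLUS) if q not in b}
            if need <= have:
                return set(group)
    return None
```

For this access structure the repair set of participant 0 is {2, 3}, which is as large as the maximal blocked sets and is itself authorized, so the locality here is trivial in the sense of the condition stated above.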


B. Size of a share for perfect secret sharing with locality 

We know that, for perfect secret sharing schemes, the size of
the secret cannot be larger than the size of a share [2, Lemma
2]. Let us see why this statement is true. Let the secret $s$
belong to a domain $\mathcal{K}$ and the share of node $j$ belong to $\mathcal{K}_j$.
Assume that there exists a perfect secret sharing scheme which
realizes the access structure $\mathcal{A}$ when $|\mathcal{K}| < |\mathcal{K}_j|$. Let $B \subseteq [n]$
be a minimal set in $\mathcal{A}$ such that $j \in B$. Define $B' = B \setminus \{j\}$.
Then, since the secret sharing scheme is perfect, for every
value of the shares in $B'$ all secrets in $\mathcal{K}$ must have the
same probability. Thus, since the value of the shares of $B$
determine the secret completely there must exist an injective
mapping from $\mathcal{K}$ to $\mathcal{K}_j$. But since $|\mathcal{K}_j| < |\mathcal{K}|$ this cannot be
possible.

In [5] the minimum node storage required for arbitrary
monotone access structures is analyzed. In that paper, an
access structure was constructed for which the sizes of the
shares have to be $n/\log(n)$ times the size of the secret for
any perfect scheme. For secret sharing schemes with local
repairability and fixed recovery sets, not all monotone access
structures are feasible. The minimal sets of the access
structure cannot include any recovery set. Here, we extend
the result in [5] to the restricted class of monotone access
structures.

Assume $(r+1) \mid n$. Suppose that the secret denoted by the
random variable $S$ is stored on $n$ shares as $C_i$, $i \in [n]$ and
the shares have locality $r$ (eq. (4)). Consider a partition of $[n]$,
$Q_j$, $j \in [n/(r+1)]$, such that the recovery sets are given
by eq. (18). For a perfect secret sharing scheme on $[n]$ with
monotone access structure $\mathcal{A}_s$, the minimal sets $\mathcal{A}^*$ of $\mathcal{A}_s$
must satisfy,

$$A \in \mathcal{A}^* : A \not\supseteq Q_j. \qquad (36)$$

Denote this class of monotone access structures with $\mathcal{M}_s$. We
have the following result for the minimum size of a share for
secret sharing schemes with access structure $\mathcal{A}_s \in \mathcal{M}_s$.


Theorem 14. Consider distribution of shares of secret $S$ to
$n$ nodes with locality $r$, recovery sets as in eq. (18). Then,
there is an access structure $\mathcal{A}_s \in \mathcal{M}_s$ (eq. (36)), such that any
perfect scheme for $\mathcal{A}_s$, if it exists, must satisfy,

$$a \ge \frac{(r+1)\, n}{r \log n} H(S). \qquad (37)$$

where $a$ is the average entropy of the shares.

Proof: First, let us define a polymatroid $(Q = \{[n], S\}, \phi)$
as follows,

HA) = A C [n] (38a) 

= AC[n] (38b) 

A polymatroid function must satisfy the following properties,
P1 $\phi(A) \ge 0$ for all $A \subseteq Q$, $\phi(\emptyset) = 0$
P2 $\phi$ is monotone, i.e. if $A \subseteq B \subseteq Q$, then $\phi(A) \le \phi(B)$
P3 $\phi$ is submodular, i.e. $\phi(A) + \phi(B) \ge \phi(A \cup B) + \phi(A \cap B)$
for any $A, B \subseteq Q$

Note that the definition in eq. (38) satisfies all the conditions
above. In addition, the definition satisfies the following
properties.

Pa $\phi(A, S) = \phi(A)$, for every $A \in \mathcal{A}_s$
Pb $\phi(A, S) = \phi(A) + 1$, for every $A \notin \mathcal{A}_s$
which easily follow from the recovery and the security
properties, i.e. $H(S \mid c_B) = H(S)$ and $H(S \mid c_A) = 0$, $A \in \mathcal{A}_s$ and
$B \in \mathcal{B}_s = 2^{[n]} \setminus \mathcal{A}_s$, and the definition in eq. (38).

Using properties (P1) to (P3) and properties (Pa) and (Pb)
we have the following result, for any $A, B \in \mathcal{A}_s$ such that
$A \cap B \notin \mathcal{A}_s$,

$$\begin{aligned}
\phi(A, S) + \phi(B, S) &\ge \phi((A \cup B), S) + \phi((A \cap B), S) \\
\phi(A) + \phi(B) &\ge \phi(A \cup B) + \phi(A \cap B) + 1 \qquad (39)
\end{aligned}$$

Consider the set $M$ of size $\eta$ such that $(r+1) \mid \eta$ and it
contains $\eta/(r+1)$ partitions $Q_j$. Another set $N \subseteq [n] \setminus M$ :
$|N| = \nu := 2^{\eta} - (r+2)^{\eta/(r+1)} + 1$ is chosen such that
$|N \cap Q_j| \le r$, $\forall j$. The parameter $\eta$ for the size of the sets
$M$, $N$ is chosen to be the largest possible, i.e. the maximum
$\eta$ satisfying,

rj - -H— + 2" - (r -b 2)^Ar+i) + i (49) 

[r + 1J r + 1 

Now, construct a sequence for Mi G 2^ of 

length i/, such that it satisfies the following conditions for 
all sets Mi in the sequence. 

Cl If for any partition Qj, Qj Cl {Mi — f 0 and | Qj n 

Mi\ > r, then \Qj fl Mi+i\ < r 
C2 M, % Mi,,i< i' 

To construct the sequence {Mi\- of length v satisfying con- 
ditions Cl and C2, we hrst construct a sequence {Mf}^J^ , 
M'i C M : |M'| < It is easy to see that all subse¬ 

quences of {A'i} satisfy condition C2. From this sequence we 
remove all sets Mfi > 1 such that \{Mo — Mf) Cl Qj\ < 1. 
Note that, the number of the sets removed is, 

^ Hi/{r + 1)\ ^ ^ ^ 2 )WU+i) _ 1 . 

l<i<rj/r-\-l ^ 


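Let $N = \{b_1, \ldots, b_\nu\}$. Define another sequence of sets
$N_i = \{b_1, \ldots, b_i\}$, $i \in [\nu - 1]$, $N_0 = \emptyset$. Consider a
monotone access structure $\mathcal{A}_s$ that contains the sets $U_i :=
M_i \cup N_i$, $i \in \{0, \ldots, \nu - 2\}$. Let the minimal sets in this
access structure be,

$$\mathcal{A}^* : \Big\{A \subseteq U_i : |A \cap Q_j| = \min\{|A \cap Q_j|, r\},\ \forall j \in \Big[\frac{n}{r+1}\Big]\Big\} \qquad (41)$$

Thus, $\mathcal{A}_s \in \mathcal{M}_s$.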

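Consider the following sets $P = N_i \cup M$ and $Q = M_{i+1} \cup N_{i+1}$.
Since $P \supseteq U_i$ and $Q \supseteq U_{i+1}$, $P, Q \in \mathcal{A}_s$. Now,
$P \cap Q = N_i \cup M_{i+1}$. From condition C1 and eq. (41), we see that
there exists a set $A^* \in \mathcal{A}^*$, $A^* \subseteq U_i$ such that $P \cap Q \subset A^*$.
Therefore, $P \cap Q \notin \mathcal{A}_s$. Applying eq. (39) on $P, Q$, we have,

$$[\phi(N_i \cup M) - \phi(N_i \cup M_{i+1})] - [\phi(N_{i+1} \cup M) - \phi(N_{i+1} \cup M_{i+1})] \ge 1. \qquad (42)$$

Using property (P3) we have,

$$\phi(N_{i+1} \cup M_{i+1}) - \phi(N_i \cup M_{i+1}) \le \phi(N_{i+1}) - \phi(N_i). \qquad (43)$$

Thus, combining eqs. (43) and (44) we have,

$$[\phi(N_i \cup M) - \phi(N_i)] - [\phi(N_{i+1} \cup M) - \phi(N_{i+1})] \ge 1. \qquad (44)$$

Adding eq. (44) for $i \in \{0, \ldots, \nu - 3\}$ we have,

$$\phi(M) - [\phi(N_{\nu-2} \cup M) - \phi(N_{\nu-2})] \ge \nu - 2. \qquad (45)$$

Thus, from the recoverability property we have $\phi(M) \le
\frac{\eta r}{r+1} a$. Since $M \in \mathcal{A}_s$ and $N_{\nu-2} \notin \mathcal{A}_s$,
$\phi(N_{\nu-2} \cup M) - \phi(N_{\nu-2}) \ge 1$. Thus, we have from eq. (45),

$$a \ge (r+1)\, \frac{2^{\eta} - (r+2)^{\eta/(r+1)}}{\eta r}\, H(S). \qquad (46)$$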

Since, rj = U(logn) and (r -b 2)^4'’+i) ^ 2 from eq. (40), 
eq. (46) asympototically (with n) gives. 



Appendix A 
Proof of lemma 6 

Consider the submatrix $H_{\ell \times (k+\ell)}$ of $G$ corresponding to
$\ell$ rows, $U \subseteq [n]$. Assume that the eavesdropper observes
$c_U$. Wlog assume that $\mathrm{rank}(H) = \ell$, since the eavesdropper
effectively observes $\mathrm{rank}(H)$ shares.

"$\Leftarrow$" Assume that any $\ell$ rows of corresponding to $\ell$
L.I. rows of $G$ are L.I. Thus, $\mathrm{rank}(H_1) = \ell$ by assumption.
Let $c = Ga$ and $H = [H_1\ H_2]$ where $H_1$ is $\ell \times \ell$ and $H_2$ is
$\ell \times k$. Then,

$$H_1 r = c_U - H_2 s \qquad (47)$$


The sequence $\{M_i\}$ thus constructed has length $\nu$. To see that
this sequence satisfies condition C1 note that $|(M_0 - M_i) \cap
Q_j| \ge 1$, $\forall i \ge 1$ implies that $\{M_i\}$ satisfies condition C1.
Thus the constructed sequence satisfies conditions C1 and C2.


Now, given $c_U$, for every $s$ there is a unique solution to $r =
H_1^{-1}(c_U - H_2 s)$. Since each of those vectors is equally
probable the eavesdropper does not get any information about
$s$.

"$\Rightarrow$" Conversely, suppose that $H_1$ is not full rank (but
$\mathrm{rank}(H) = \ell$ by assumption). If for a given $c_U$ there does not
exist a solution to eq. (47) for some $s \in \mathbb{F}_q^k$ then $H(s \mid c_U) <
H(s)$. This happens iff for some $a \in \mathbb{F}_q^{k+\ell}$

$$Ha - \mathrm{colspan}(H_2) \not\subseteq \mathrm{colspan}(H_1) \qquad (48)$$

where $\mathrm{colspan}(\cdot)$ denotes the column span of a matrix and
$Ha - \mathrm{colspan}(H_2) = \{Ha - v : v \in \mathrm{colspan}(H_2)\}$. Now,
$\mathrm{colspan}(H_2) \not\subseteq \mathrm{colspan}(H_1)$ since $\dim(\mathrm{colspan}(H_1, H_2)) =
\ell$ and $\dim(\mathrm{colspan}(H_1)) < \ell$ by assumption. Thus, eq. (48)
is satisfied for $a = 0$ which implies that in this case the
eavesdropper does get some information about $s$.

Appendix B 

Achievability using Linear Network Codes 

In this appendix, we show that the limit derived in theorem 2
is achievable using a random linear network code (LNC). The
rest of this section is devoted to the proof of theorem 5 via the
technique provided in [16]. We assume that $k_0$ is such that,

$$m = k_0 + k_0/r - 1 \qquad (49)$$

For simplicity, further assume that $r$ divides $k_0$ and $(r+1)$
divides $n$.

Our roadmap for the proof is the following. We analyze
the network flow graph in fig. 1, that has been adapted and
modified from [16]. We first show that this graph has multicast
capacity $k_0$. Further there exists an LNC for this graph which
corresponds to an $(n, k_0, 0, m, r)$-secret sharing scheme. Then,
we impose additional constraints on the LNC for the graph in
fig. 1 to get an $\ell$-secure scheme, i.e., an $(n, k = k_0 - \ell, \ell, m, r)$-scheme.
Clearly this satisfies eq. (7).

We start by describing the graph in fig. 1 (Left). This graph,
$\mathcal{G}(n, k_0, m, r)$, consists of a source node $X$ that transmits $k_0$
$q$-ary symbols to $T = \binom{n}{m}$ data collectors $DC_\mu$, $\mu \in [T]$. We
assume that $X$ transmits the secret $s \in \mathbb{F}_q^{k_0}$. The unit for the
edge capacity is taken to be one $q$-ary symbol per channel use.
The nodes $F_\nu$, $\nu \in [r]$ connect to the source $X$ through links
with capacity ko/r. The edges that connect Fpjp G 
to i G [n], has capacity r. All the rest of the edges 
have unit capacity. Each of Tp,p G have r incoming 

edges from G [rj. The edges {X,F,^) are broken 

into ko/r unit capacity edges and labelled Si, S 2 , ■ ■ ■, Sfeo 
shown in the subgraph in fig. 1 (Right). Node F^, connects 
to the source X through edges ^ ^ M- 

Let us denote the subset of nodes {Fp, 

{>"(pli)(r+i)+j}j^i} as the repair group. 

A single network use corresponds to a sequence of single
data transmissions on every edge. Assume that data transmitted
on the edges $(Y_i^{in}, Y_i^{out})$, $i \in [n]$ in a single network use
correspond to the $n$ shares of the secret (i.e., $n$ symbols of
$f(s)$, where $f$ is the randomized encoding). Note that the
data collectors connect to $m$ nodes (shares) and obtain all of
what $X$ transmits: this must be satisfied for all $m$-subsets (all
data collectors). We use the network $\mathcal{G}(n, k_0, m, r)$ to show
the existence of a linear $(n, k_0, 0, m, r)$-secret sharing scheme.

Lemma 15. Given that the network $\mathcal{G}(n, k_0, m, r)$ has
multicast capacity $k_0$, there exists a linear network code with
repairability $r$ for this network and the scheme corresponding
to the data transmitted on the edges $(Y_i^{in}, Y_i^{out})$ is an
$(n, k_0, 0, m, r)$-secret sharing scheme.

In the following we show that the network $\mathcal{G}(n, k_0, m, r)$
has multicast capacity $k_0$.

Definition 6. A min-cut for any two nodes $v, u$ in
$\mathcal{G}(n, k_0, m, r)$, denoted $\mathrm{MinCut}(v, u)$, is defined as a subset
of directed edges of minimum aggregate capacity such that if
these edges are removed, then there does not exist a path from
$v$ to $u$ in the graph $\mathcal{G}(n, k_0, m, r)$. Let $|\mathrm{MinCut}(v, u)|$ denote
the aggregate capacity of the edges in $\mathrm{MinCut}(v, u)$.

It has been shown [1], [10] that the minimum of the
min-cuts between a single source and multiple sinks corresponds
to the multicast capacity of the source. We show that for
$\mathcal{G}(n, k_0, m, r)$ this quantity, $\min_{\mu \in [T]} |\mathrm{MinCut}(X, DC_\mu)|$, is
equal to $k_0$.

Lemma 16. For $\mathcal{G}(n, k_0, m, r)$ the multicast capacity is $k_0$.
That is,

$$\min_{\mu \in [T]} |\mathrm{MinCut}(X, DC_\mu)| = k_0. \qquad (50)$$

Proof: For $k_0$ satisfying eq. (49) we have,

$$m = k_0 + \frac{k_0}{r} - 1 = (k_0/r - 1)(r+1) + r. \qquad (51)$$

Suppose that the minimum in eq. (50) only contains an
$n_1$-subset $\mathcal{E}$ of edges in $\{(X, F_\nu)\}_{\nu \in [r]}$. Assume wlog that
$\mathcal{E} = \{(X, F_1), \ldots, (X, F_{n_1})\}$. Consider the data collector
$DC_\mu$ that connects to $\gamma_p$, $p \in [n/(r+1)]$ nodes in each of the
repair groups. If $\gamma_p > r - n_1$ the min-cut should include all the
edges $\{(F_{n_1+1}, \Gamma_p), \ldots, (F_r, \Gamma_p)\}$. Otherwise if $\gamma_p < r - n_1$
the min-cut includes all the $\gamma_p$ edges $(Y_i^{in}, Y_i^{out})$ in the
repair group connected to $DC_\mu$. Therefore, the minimum in
eq. (50) would correspond to the data collector that covers
entirely as many repair groups as possible. From eq. (51) we
see that for such a data collector $\gamma_p > (r - n_1)$ for all $p$ for
which $\gamma_p > 0$ and for all $0 < n_1 < r$. Therefore,

$$\min_\mu |\mathrm{MinCut}(X, DC_\mu)| = \frac{k_0}{r}(r - n_1) + n_1 \frac{k_0}{r} = k_0$$

■

We know therefore that a random LNC achieves the
multicast capacity $k_0$ for this network. This random LNC
corresponds to a secret-sharing scheme with $n$ shares such
that the secret in $\mathbb{F}_q^{k_0}$ can be recovered by looking at any
$m$ shares. Now to satisfy the local repairability constraint
for this LNC, consider the subgraph containing the nodes
in the $p$-th repair group. Another set of local decoding
requirements is imposed on this subgraph. For each $r$-subset
of nodes in any local repair group, a local data collector
$LD_i$, $i \in [n]$ connecting to these nodes should be able to
decode the input to $\Gamma_p$. There are in total $n$ such local decoding
requirements. These decoding requirements are similar to the
local repairability requirements for the network flow graph
considered in [16]. Let $Z_p \in \mathbb{F}_q^r$ denote the data received by
$\Gamma_p$. Let $N_i$ denote the $r \times r$ local encoding matrix, for the
edges corresponding to local data collector. Therefore, the data
received by the local decoder is,

$$Z_p N_i, \quad i \in \{(p-1)(r+1) + 1, \ldots, p(r+1)\} \qquad (52)$$

Fig. 1: Left: The information flow-graph $\mathcal{G}(n, k_0, m, r)$ adapted from [16]. The left-most vertex is the source node $X$. The
$T = \binom{n}{m}$ vertices $DC_\mu$ are the destination nodes (referred to as the data collectors). Each DC is connected to a different
$m$-tuple of $Y^{out}$ nodes. Each of the intermediate nodes $F_\nu$, $\nu \in [r]$ have out-going edges to all the nodes $\Gamma_p$, $p \in [\frac{n}{r+1}]$.
Right: Equivalent representation for the subgraph containing nodes $F_\nu$ and the source $X$.

We see that, for any local data collector $LD_i$ to recover the
data from the node $\Gamma_p$, matrix $N_i$ must be full rank. Since
we know that for a large enough alphabet size $q$ we can
satisfy these constraints [16, lemma 4], there must exist an
LNC that satisfies the local repair requirements. Therefore,
we can construct an $(n, k_0, 0, m, r)$-secret-sharing scheme.

Suppose we write the secret as $s = (s_1, \ldots, s_{k_0})$, and term
$s_1, \ldots, s_{k_0}$ as the information symbols. Now, for the random
LNC obtained above that satisfies the repairability and recovery
requirements, we relabel $k = k_0 - \ell$ information symbols
$\{s_{\ell+1}, \ldots, s_{k_0}\}$ from the source $X$ as secure information
symbols and choose each of the rest $\ell$ symbols $\{s_1, \ldots, s_\ell\}$
according to a uniformly random distribution in $\mathbb{F}_q$. For such a
random LNC to be $\ell$-secure any eavesdropper $ED_\tau$, $\tau \in [\binom{n}{\ell}]$
connecting to any $\ell$ nodes $Y^{out}$ may be able to recover at
most the redundant $\ell$ symbols $\{s_1, \ldots, s_\ell\}$ and should have
full ambiguity about $\{s_{\ell+1}, \ldots, s_{k_0}\}$. We show that these
additional security constraints can be satisfied for a random
LNC with large enough alphabet and hence we have an
$(n, k, \ell, m, r)$-secret-sharing scheme satisfying eq. (7).

Note that if a code is secure against an eavesdropper who
can observe any of the $\ell$ shares, it must be secure against any
adversary who can only observe less than $\ell$ shares. Therefore,
for $\ell > r$ we can ignore all eavesdroppers who choose all
the $(r+1)$ shares of the same repair group. Since one of the
shares in a repair group can be recovered from the other $r$
shares, an eavesdropper who reads $t$ entire repair groups is
observing effectively only $\ell - t$ shares. Therefore, we only
need to consider the eavesdroppers that observe a maximum
of $r$ shares in a repair group. Let us denote this subset of
eavesdroppers as $ED_\tau$, $\tau \in \mathcal{W}' \subseteq [\binom{n}{\ell}]$.

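If $(c_1, \ldots, c_n)$ are the $n$ shares for the secret $s$, we must
have the data transmitted on the edges $(Y_i^{in}, Y_i^{out})$ with the
following linear form.

$$\begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_n \end{pmatrix} =
\begin{pmatrix}
a_{1,1} & a_{1,2} & \cdots & a_{1,k_0} \\
a_{2,1} & a_{2,2} & \cdots & a_{2,k_0} \\
\vdots & \vdots & & \vdots \\
a_{n,1} & a_{n,2} & \cdots & a_{n,k_0}
\end{pmatrix}
\begin{pmatrix} s_1 \\ \vdots \\ s_{k_0} \end{pmatrix} \qquad (53)$$

We claim that the security against an eavesdropper $ED_\tau$, $\tau \in
\mathcal{W}'$ is equivalent to a full-rank requirement on an $\ell \times \ell$
sub-matrix of $A$.

Lemma 17. Let $\mathcal{E}^\tau = \{e_1^\tau, e_2^\tau, \ldots, e_\ell^\tau\} \subseteq [n]$ denote the
shares an eavesdropper $ED_\tau$ can observe. We have,

$$c_{\mathcal{E}^\tau} = A_1^\tau s_{[\ell]} + A_2^\tau s_{[k_0] \setminus [\ell]}. \qquad (54)$$

If for all eavesdroppers $ED_\tau$, $\tau \in \mathcal{W}'$, the $\ell \times \ell$ matrix $A_1^\tau$ is
full-rank then the LNC is $\ell$-secure.

Proof: Suppose for some specific $\tau \in \mathcal{W}'$,

$$[A_1^\tau \mid A_2^\tau] = \left(\begin{array}{cccc|ccc}
a_{e_1,1} & a_{e_1,2} & \cdots & a_{e_1,\ell} & a_{e_1,\ell+1} & \cdots & a_{e_1,k_0} \\
a_{e_2,1} & a_{e_2,2} & \cdots & a_{e_2,\ell} & a_{e_2,\ell+1} & \cdots & a_{e_2,k_0} \\
\vdots & \vdots & & \vdots & \vdots & & \vdots \\
a_{e_\ell,1} & a_{e_\ell,2} & \cdots & a_{e_\ell,\ell} & a_{e_\ell,\ell+1} & \cdots & a_{e_\ell,k_0}
\end{array}\right)$$

Since $A_1^\tau$ is full rank, there must be a unique solution
to $s_1, s_2, \ldots, s_\ell$ for every value of $c_{\mathcal{E}^\tau}$ and every value of
$\{s_{\ell+1}, \ldots, s_{k_0}\} \in \mathbb{F}_q^{k_0 - \ell}$. Hence, we have,

$$H(s_{[\ell]} \mid c_{\mathcal{E}^\tau}, s_{[k_0] \setminus [\ell]}) = 0$$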
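We therefore have the following chain of inequalities that
establishes that the eavesdropper does not get any information
about the secret from his observation.

$$\begin{aligned}
I(s_{[k_0] \setminus [\ell]}; c_{\mathcal{E}^\tau}) &= H(c_{\mathcal{E}^\tau}) - H(c_{\mathcal{E}^\tau} \mid s_{[k_0] \setminus [\ell]}) \\
&\le \ell - H(c_{\mathcal{E}^\tau} \mid s_{[k_0] \setminus [\ell]}) + H(c_{\mathcal{E}^\tau} \mid s_{[\ell]}, s_{[k_0] \setminus [\ell]}) \\
&= \ell - I(c_{\mathcal{E}^\tau}; s_{[\ell]} \mid s_{[k_0] \setminus [\ell]}) \\
&= \ell - H(s_{[\ell]} \mid s_{[k_0] \setminus [\ell]}) + H(s_{[\ell]} \mid c_{\mathcal{E}^\tau}, s_{[k_0] \setminus [\ell]}) \\
&= \ell - H(s_{[\ell]}) = \ell - \ell = 0. \qquad ■
\end{aligned}$$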

We also have the following lemma. 

Lemma 18. Consider the subgraph $\mathcal{G}_\ell$ formed by removing
the edges $s_{\ell+1}, \ldots, s_{k_0}$ from the graph $\mathcal{G}(n, k_0, m, r)$. For this
modified network graph the multicast capacity between the
source and the eavesdroppers $ED_\tau$, $\tau \in \mathcal{W}'$ is $\ell$, i.e.

$$\min_{\tau \in \mathcal{W}'} |\mathrm{MinCut}(X, ED_\tau)| = \ell.$$

Proof: It is easy to see from the network structure that
the min-cut for every eavesdropper $ED_\tau$, $\tau \in \mathcal{W}'$ corresponds to
all the edges to which an eavesdropper connects
in each repair group. Since every eavesdropper in $\mathcal{W}'$ connects
to $\ell$ nodes, the minimum min-cut is also $\ell$. ■

Consider the eavesdropper $ED_\tau$, $\tau \in \mathcal{W}'$ which connects
to $\ell_1, \ell_2, \ldots, \ell_{n/(r+1)}$ nodes in each of the repair groups.
Therefore, we have

$$\sum_{p=1}^{n/(r+1)} \ell_p = \ell$$

where $0 \le \ell_p \le r$, $p \in [n/(r+1)]$. Let $N_p'$, $p \in [n/(r+1)]$
denote the $\ell_p \times r$ local encoding sub-matrix of $N_p$ (see
eq. (52)) for the edges $(\Gamma_p, Y_i^{in})$ connecting the eavesdropper
to the repair group. Also, let $D_p$, $p \in [n/(r+1)]$ denote
the $r \times \ell$ matrix corresponding to the local encoding vectors for
$(F_\nu, \Gamma_p)$, $\nu \in [r]$, for the induced graph $\mathcal{G}_\ell$ described above.
The matrix $A_1^\tau$ from lemma 17 can be written as,

$$A_1^\tau = \begin{pmatrix} N_1' D_1 \\ N_2' D_2 \\ \vdots \\ N_{\frac{n}{r+1}}' D_{\frac{n}{r+1}} \end{pmatrix} \qquad (55)$$

We need all of the matrices $A_1^\tau$, $\tau \in \mathcal{W}'$ to be full-rank
simultaneously. Now using lemma 18 we can see that these
constraints on the matrices $D_p$ can all be satisfied simultaneously,
together with the local repairability and multicast capacity, for
all $\tau \in \mathcal{W}'$ for a large enough alphabet size [10], [6, Lemma
4]. Therefore, a random LNC satisfies the full rank constraints
of lemma 17.

Therefore, for the random LNC obtained above, for any
eavesdropper $ED_\tau$ observing $\mathcal{E}^\tau \subseteq [n]$, $I(s_{[k_0] \setminus [\ell]}; c_{\mathcal{E}^\tau}) = 0$.

Since the data collectors can recover $s$ from any $m$ nodes
and $H(s_{[k_0] \setminus [\ell]} \mid s) = 0$, the secret is recoverable from any $m$
shares. Therefore, we have an $(n, k, \ell, m, r)$-scheme achieving
the upper bound in eq. (7).